Monday, January 17, 2011

Introduction to Sguil and Squert: Part 1

This post is the first in a multi-part series designed to introduce Sguil and Squert to beginners.

1. Download Security Onion 20110116.
2. Boot the ISO and run through the installer.
3. Reboot into your new Security Onion installation and login using the username/password you specified in the previous step.
4. Double-click the Setup script on the Desktop and follow the prompts to configure and start the Sguil processes.
5. Double-click the Sguil desktop icon. Log into Sguil using the username/password you specified in the previous step. There may already be some alerts in the Sguil console. If not, open Firefox and click the testmyids.com bookmark and you should then see an alert appear in Sguil.

6. Double-click the Squert desktop icon. The Squert main page appears. Click the "submit" button. Snort alerts appear at the bottom of the page and they should match what you saw in Sguil.

7. Go back to Sguil, select an alert, and press the F8 key to expire it. Notice that the alert disappears from Sguil.

8. Go back to Squert and click the "submit" button again. Notice that the alert remains in Squert. Sguil's main console shows events that have not yet been classified, so we need to tell Squert to do the same. Click the "Status" drop-down box and select "Unclassified". Click the "submit" button and notice that the alert is now gone.
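The reason the two consoles disagree in step 8 is that Sguil's main window only shows events nobody has classified yet, while Squert's default view shows everything. As an added illustration (not from the original post or from the Sguil/Squert projects), the same "Unclassified" filter can be expressed directly against the Sguil database. The table name `event`, the `status` column, and the convention that `status = 0` marks an unclassified (real-time) event are assumptions drawn from Sguil's schema as I know it; check them against your own installation before relying on the queries.

```sql
-- Added example, not code from the original post.
-- Assumed sguildb schema: alerts live in the `event` table, and
-- status 0 means "no analyst has classified this event yet", which is
-- what Sguil's main console and Squert's "Status: Unclassified" show.
-- IP addresses are assumed to be stored as unsigned integers (MySQL),
-- hence INET_NTOA() for display.

-- Events still awaiting classification, newest first:
SELECT e.sid,
       e.cid,
       e.timestamp,
       e.signature,
       INET_NTOA(e.src_ip) AS src_ip,
       INET_NTOA(e.dst_ip) AS dst_ip,
       e.status
FROM   event e
WHERE  e.status = 0
ORDER  BY e.timestamp DESC
LIMIT  20;

-- Breakdown by status, handy when Sguil and Squert appear to disagree:
-- after pressing F8 in Sguil the expired event should move out of
-- status 0 and the count for that row should drop by one.
SELECT e.status, COUNT(*) AS events
FROM   event e
GROUP  BY e.status
ORDER  BY e.status;
```

Run these from the MySQL client on the Sguil server against the Sguil database (the database name differs between a stock Sguil install and Security Onion, so use whichever your sguild.conf points at).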

In this post, we've covered the following:

Logging into Sguil and Squert
Generating an IDS alert
Expiring an IDS alert
Configuring Squert to show Unclassified events to match the main Sguil window

I just added wlan support for you. Download the Security Onion Upgrade Script and run it from a terminal like this:

sudo bash security-onion-upgrade.sh

Setup should then be able to detect wlan interfaces. If you've already run setup, you'll probably want to run nsm_all_del (from the terminal or from the NSM menu) to delete your sensors so that Setup can run properly.

Thanks, Doug, but that doesn't seem to have worked. I followed your instructions, but sguil still only shows eth0 and ossec as the networks to monitor. I had wlan0 up and running, connected to my wireless network and the Internet before running the script. The script simply returned to the command prompt, it gave no messages.

"Setup should then be able to detect wlan interfaces. If you've already run setup, you'll probably want to run nsm_all_del (from the terminal or from the NSM menu) to delete your sensors so that Setup can run properly. "

It sounds like you need to execute the following:

nsm_all_del
Setup

In Setup, make sure to choose Advanced Setup and then in the interfaces step of Setup you should see wlan0 as an option.

Are you running in Live mode, or did you actually run through the Installer? If you're running in Live mode, you may see strange things happen when you run out of RAM and the kernel starts killing processes. Live mode is fine for quick demonstrations and verifying hardware compatibility, but for any production usage you'll want to be running a fully installed version.

I just put up two new blog posts which demonstrate the Upgrade script and the nsm_all_del script. If you're not seeing the same kind of output shown in these posts, then something is wrong (perhaps you're running in Live mode and the kernel Out Of Memory killer is killing processes as I mentioned above).

Hi All, going very well with SO installed as well as Sguil and Snorby. However, I am getting the message that 'rule download sites appear to be down. Skipping rule updates'. Can anyone give me a steer on this.

Thanks,
Luke

Security Onion

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!